Rolling-Code Remotes Make Replay Attacks Impossible — Fixed-Code Openers Are Clonable in Seconds

idea

Claim: Pre-mid-1990s garage door openers transmit the same fixed radio code on every button press, which can be captured and replayed by any scanner. Modern openers use rolling-code technology (HCS301/KeeLoq or equivalent) that generates a one-time encrypted code on each press — even capturing the code makes it useless for future entry. Any opener with dip-switch programming is a fixed-code system and should be replaced if security matters.

Mechanism

How fixed-code systems are exploited:

Fixed-code openers encode access as a static binary sequence, typically set via physical dip-switches on the remote and receiver unit. The system accepts any transmission of that code. An attacker can:1

  • Point a code-grabber (a scanner that records 315 MHz or 390 MHz RF transmissions) at the door from a parked car and capture the code when you use your remote
  • Use a universal remote programmed to brute-force all possible dip-switch combinations — older 8-bit or 10-bit dip-switch systems have only 256–1,024 possible combinations, exhaustable in seconds
  • Buy a second remote of the same model and set it to matching dip-switch positions

How rolling-code works:

The remote and receiver share a cryptographic key and a synchronized counter (implemented in chips like the HCS301 using KeeLoq encryption). Each button press generates a new encrypted code derived from the key + the current counter value. The receiver only accepts codes that:1

  • Decrypt correctly using the shared key, AND
  • Have a counter value within an acceptable window ahead of the last accepted value

Once a code is used, it is discarded. If an attacker captures a transmitted code, it has already been accepted by the receiver and will be rejected on the next attempt. The “RollJam” attack (jams the first press, captures code 1 and code 2, releases code 1 to the opener) is a real but complex attack requiring the attacker to be physically present with jamming + recording hardware during multiple button presses — far beyond opportunistic break-in.

How to tell which type you have:

  • Dip-switch settings visible inside the remote battery compartment = fixed code, replace
  • Remote labelled “Security+” (LiftMaster), “Intellicode” (Genie), or similar = rolling code
  • Opener purchased or installed after approximately 1996 = very likely rolling code
  • No visible switches but opener is clearly old = check the motor unit label for manufacture date

Scope

This idea covers the remote control / radio security layer only. It does not cover:

Idea Compass

North: Where this comes from

  • KeeLoq cryptographic algorithm (Microchip Technology) — the rolling-code standard used in most residential openers
  • Mid-1990s transition from mechanical dip-switch to rolling-code RF in the garage door opener industry

East: Tensions / failure

  • Emergency-Release-Cord-Fishing-Attack (Home Systems) — rolling code stops remote replay but doesn’t help if the attacker uses a wire hanger on the release cord instead
  • RollJam attack — active jamming-based rolling-code exploit; real but requires physical presence and equipment; not opportunistic

South: Where this leads

West: What’s similar

  • Smart home lock PIN codes — same pattern: static code = clonable; rolling challenge-response = resistant
  • WPA2/WPA3 vs WEP Wi-Fi security — same generation-shift pattern: older standard is cryptographically broken; replacement is standard in any new hardware

Sources

Footnotes

  1. GateRemoteSource, electronics supplier — fixed code vs rolling code security; HCS301/KeeLoq; cloning methods for fixed-code (code grabber, brute force, universal remote); retrofit options for fixed-code systems — https://www.gateremotesource.com/en/blog/garage-door-remote-cloning-security-guide 2